<p>operationsguy<br />http://blogs.technet.com/b/operationsguy/atom.aspx<br />2010-11-09T19:22:00Z</p>
<p><strong>IIS7 WMI Access through PowerShell to recycle Apppools</strong><br />http://blogs.technet.com/b/operationsguy/archive/2011/06/21/iis7-wmi-acess-through-powershell-to-recycle-apppools.aspx<br />2011-06-22T04:18:00Z</p>
<p>Recently, while performing application installs, I had to recycle apppools on around 100 servers. I was thinking this should be easy; it should be just a one-liner:</p>
<p><strong>Invoke-command -computername (get-content <a href="file://utilityserver/serverlist/servers.txt">\\utilityserver\serverlist\servers.txt</a>) -scriptblock {import-module webadministration;Restart-WebAppPool -name myapppool}</strong></p>
<p>Or for all the apppools</p>
<p><strong>Invoke-command -computername (get-content <a href="file://utilityserver/serverlist/servers.txt">\\utilityserver\serverlist\servers.txt</a>)&nbsp;-scriptblock {import-module webadministration;gci 'IIS:\AppPools' -verbose | Restart-WebAppPool}</strong></p>
<p>But I suddenly found out that it was not as easy as I thought: PowerShell remoting was not set up, so I had to look at other alternatives, like a for loop in conjunction with psexec and appcmd, to get the job done. This greatly bugged me, though. I remembered that IIS had changed the WMI namespace to root\webadministration from root\MicrosoftIISv2, and that I should be able to use PowerShell to remote in through WMI and recycle the apppools without PowerShell remoting. Researching IIS WMI and PowerShell, I found that there was not much really helpful documentation on it. In the process of writing this, it turned into a PowerShell advanced function that will</p>
<ul>
<li>Recycle all apppools on remote server</li>
<li>Recycle specified apppool on remote server</li>
<li>Take pipeline inputs of server names</li>
<li>Check for application pool existence before executing the recycle</li>
<li>Check if server is online before executing the Script.</li>
</ul>
<p>Here is the advanced function; load it into your profile and use it like a cmdlet.</p>
<p>PS C:\Windows\system32&gt; get-help Operationsguy-Recycleapppool</p>
<p>Operationsguy-Recycleapppool [-Server] &lt;String&gt; [-apppool] &lt;String&gt; [-Verbose] [-Debug] [-ErrorAction &lt;ActionPreference&gt;] [-WarningAction &lt;ActionPreference&gt;] [-ErrorVariable &lt;String&gt;] [-WarningVariable &lt;String&gt;] [-OutVariable &lt;String&gt;] [-OutBuffer &lt;Int32&gt;]</p>
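<p><b><i>Function Operationsguy-Recycleapppool{<br />
[CmdletBinding()]<br />
param(<br />
&nbsp;&nbsp;&nbsp;&nbsp;[parameter(Mandatory=$true, Position=0, ValueFromPipeLine=$true)]<br />
&nbsp;&nbsp;&nbsp;&nbsp;[string]$Server,<br />
&nbsp;&nbsp;&nbsp;&nbsp;[parameter(Mandatory=$true, Position=1)]<br />
&nbsp;&nbsp;&nbsp;&nbsp;[string]$apppool<br />
)<br />
process{<br />
&nbsp;&nbsp;&nbsp;&nbsp;# Continue only if the server answers a ping and the IIS WMI provider returns the apppool names.<br />
&nbsp;&nbsp;&nbsp;&nbsp;# -Authentication 6 is PacketPrivacy, which the root\webadministration provider requires for remote connections.<br />
&nbsp;&nbsp;&nbsp;&nbsp;if ((Test-Connection $Server -count 1 -ErrorAction SilentlyContinue) -and ($apppoolarray=gwmi -namespace "root\webadministration" -Class applicationpool -ComputerName $Server -Authentication 6 -Property name -ea 'SilentlyContinue' | select -ExpandProperty name))<br />
&nbsp;&nbsp;&nbsp;&nbsp;{<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ($apppool -eq "ALL")<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# Recycle every application pool on the server<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;gwmi -namespace "root\webadministration" -Class applicationpool -ComputerName $Server -Authentication 6 | Invoke-WmiMethod -Name recycle -ErrorAction SilentlyContinue<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ($?)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{Write-Host "All apppools recycled on $server"}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else {Write-Host -BackgroundColor Red "One apppool is either stopped or did not start back up"}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;elseif ($apppool)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# Recycle a single pool, after confirming that it exists on the server<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ($apppoolarray -contains $apppool)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;gwmi -namespace "root\webadministration" -ComputerName $server -Authentication 6 -Query "select * from applicationpool where name='$apppool'" | Invoke-WmiMethod -Name recycle -ErrorAction SilentlyContinue<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ($?)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{Write-Host "$apppool recycled on $server"}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{Write-Host "$apppool Apppool state Error"}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{Write-Host -BackgroundColor Red "$apppool does not exist on $server"}<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;else<br />
&nbsp;&nbsp;&nbsp;&nbsp;{Write-Host -BackgroundColor Red "$server not reachable or WMI Windows feature for IIS not installed"}<br />
}<br />
}</i></b></p>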
<p><b>e.g: "localhost","mypc" | Operationsguy-Recycleapppool -apppool all</b></p>
<p><b>get-content d:\servers\server.txt | Operationsguy-Recycleapppool -apppool myapppool<br /><br /></b></p>
<p>For this to work, WMI connectivity between the management server and the remote hosts is needed; the IIS Management Scripts and Tools component under Management Tools also needs to be installed on the remote IIS 7 or 7.5 machines. This will not work for IIS 6.0 servers (try replacing the namespace with root\MicrosoftIISv2 in the function; I have not tried it, it may work).</p>
<p>See you guys soon with another post on AD PowerShell cmdlets and how they can be used to audit your groups and get some good information about your servers.</p>
<p>SmartSE<br />http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>
<p><strong>Remotely tweak powershell execution policies without powershell remoting.</strong><br />http://blogs.technet.com/b/operationsguy/archive/2011/04/21/remotely-tweak-powershell-execution-policies.aspx<br />2011-04-21T21:16:00Z</p>
<p>Today I was trying to schedule a PowerShell command to execute via a scheduled task on all my machines. I copied the PowerShell script to execute onto all the machines, then ran a for loop as follows to create the scheduled tasks on all the machines.</p>
<p>for /f %i in (<a href="file://\\utilityserver\servers.txt">\\utilityserver\servers.txt</a>) do schtasks /s %i /create /TN custom_task /TR "powershell -nologo -file c:\localbin\task.ps1" /ST 16:00 /SC MINUTE /MO 5 /RU &lt;Domain\user&gt; /RP "XXXXX"</p>
<p>The tasks were created fine on all the machines, but when I tried to run them, they failed. I tried executing the PowerShell script locally on a server and it threw an error message about execution policy. Now I have to enable the execution policy on around 100 servers, which unfortunately did not have PowerShell remoting set up. When you set an execution policy in PowerShell, it actually modifies the registry value ExecutionPolicy at the following location.</p>
<p><strong>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell <em>(I found this by running procmon).</em></strong></p>
<p>If you have an unrestricted policy, your registry will read like this:</p>
<p>reg query &nbsp;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell</p>
<p>&nbsp;&nbsp;&nbsp; Path&nbsp;&nbsp;&nbsp; REG_SZ&nbsp;&nbsp;&nbsp; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe<br />&nbsp;&nbsp;&nbsp; ExecutionPolicy&nbsp;&nbsp;&nbsp; REG_SZ&nbsp;&nbsp;&nbsp; <span style="background-color: #ffff00;">Unrestricted</span></p>
<p>Now to set this across 100 machines:</p>
<p>for /f %i in (<a href="file://\\utilityserver\servers.txt">\\utilityserver\servers.txt</a>) do reg add \\%i\HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /t REG_SZ /d Unrestricted /f</p>
<p>Replace the value with Unrestricted | RemoteSigned | AllSigned | Restricted | Bypass, whichever you want to set. This key sets the execution policy for all the users on a machine. You can also use the Set-ExecutionPolicy cmdlet if you have PowerShell remoting set up.</p>
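<p>A read-only counterpart to the reg add loop, as an added example that is not part of the original post: it reads the same ExecutionPolicy value over the remote registry so you can see which servers are set to Unrestricted or Bypass. The function name Get-RegistryExecutionPolicy is hypothetical, and it assumes the same remote-registry access that the reg add loop needs.</p>

```powershell
# Added example (not from the original post): report the machine-wide
# ExecutionPolicy registry value for each server, without changing anything.
function Get-RegistryExecutionPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$ComputerName
    )
    begin {
        # Registry key named in the post; it holds the policy for all users.
        $subKey = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
        # Values under which unsigned scripts from any source will run.
        $permissive = @('Unrestricted', 'Bypass')
    }
    process {
        $base = $null
        $key  = $null
        try {
            $base  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
            $key   = $base.OpenSubKey($subKey)          # opened read-only
            $value = if ($key) { $key.GetValue('ExecutionPolicy') } else { $null }
            # A missing value means nobody has written a machine-wide policy.
            $policy = if ($value) { [string]$value } else { 'NotSet' }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Policy       = $policy
                Permissive   = ($permissive -contains $policy)
                Error        = $null
            }
        }
        catch {
            # Unreachable host, Remote Registry stopped, or access denied.
            [pscustomobject]@{
                ComputerName = $ComputerName
                Policy       = 'Unknown'
                Permissive   = $false
                Error        = $_.Exception.Message
            }
        }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

# Demo against the local machine. For the fleet, pipe the server list instead:
#   Get-Content \\utilityserver\servers.txt | Get-RegistryExecutionPolicy |
#       Where-Object { $_.Permissive -or $_.Error }
$env:COMPUTERNAME | Get-RegistryExecutionPolicy
```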
<p>This will save you a bunch of time, or I would suggest you make this a part of your build process.</p>
<p><strong>SharePoint 2010 sandboxed code solutions and web proxy.</strong><br />http://blogs.technet.com/b/operationsguy/archive/2011/01/17/sharepoint-2010-sandboxed-code-solutions-and-web-proxy.aspx<br />2011-01-18T05:01:00Z</p>
<p>Recently I was working on an escalation where my customer had a sandboxed code solution deployed into his site collection. The sandbox site collection was calling an external URL to fill in some data on the web page, and it was not working. The same code was working in production, and the customer was having issues making it work in the internal environment. The only difference between the production and internal environments was that the external environments could connect directly to the internet, while the internal environments were behind a web proxy. Thinking this was a no-brainer, I started tweaking the proxy nodes in "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config" (assuming SharePoint used ASP.NET) with no luck. I even tried inserting the proxy nodes into "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\UserCode\web.config" and "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\UserCode\SPUCWorkerProcessProxy.exe.config" with no success. Looking at the ULS logs, I could actually see the sandboxed code service trying to spin up a new worker process, sleeping, and finally dying with the following exception:</p>
<p><em><span style="font-size: x-small;"><span style="background-color: #ff6600;">Error activating the worker process manager instance within the worker process. - Inner Exception: System.InvalidOperationException: Unable to activate worker process proxy object within the worker process: ipc://8ce29399-c3b3-4c1f-aec8-2e1bf132b0dd:7000&nbsp;&nbsp;&nbsp;&nbsp; at Microsoft.SharePoint.UserCode.SPUserCodeWorkerProcess.CreateWorkerProcessProxies</span></span></em></p>
<p><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-85-99/7242.uls.png" border="0" /></p>
<p>Trying to find out if it was really connecting to the web proxy, I fired up netmon. That is when I found the interesting trace below: even though the proxy node is set up in the config files, the sandboxed solution is not honoring it. It tries to connect directly and retransmits again and again until it reaches the maximum TCP retransmits.</p>
<p><img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-85-99/7723.ntmon.png" border="0" /></p>
<p>Now I am sure what the cause of the issue is, but still not sure about the solution, so I turned to my fav search engine (<a href="http://www.bing.com/">www.bing.com</a>) :). Reading multiple sources on how applications can use proxies, I reached the following conclusion: any .NET application on IIS will use the .NET proxy in the web.config, but there are also cases where some applications use WinHTTP settings for proxies. Having ruled out the .NET proxy, I decided to set up some WinHTTP tracing to see if I could find anything. Here is an excellent resource on how to do it: <a href="http://blogs.msdn.com/b/jpsanders/archive/2009/05/28/how-to-enable-winhttp-tracing-on-vista-2008-and-windows-7.aspx">http://blogs.msdn.com/b/jpsanders/archive/2009/05/28/how-to-enable-winhttp-tracing-on-vista-2008-and-windows-7.aspx</a>. What I am expecting at this point is to see signs of the external URL call in the WinHTTP trace. You can use netmon to read through an ETL trace; slick, isn't it? Looking at the WINHTTP_MicrosoftWindowsWinHttp conversation that has a WEBIO_MicrosoftWindowsWebIO branch, I could see</p>
<p>.<img src="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-85-99/8233.netm.png" border="0" /></p>
<p>Now convinced that the sandboxed code solution is using the WinHTTP proxy to make outbound URL calls, I set the WinHTTP proxy using netsh, referring to <a href="http://technet.microsoft.com/en-us/library/cc731131(WS.10).aspx">http://technet.microsoft.com/en-us/library/cc731131(WS.10).aspx</a></p>
<p><b>netsh winhttp set proxy proxy-server="http=&lt;internal proxy&gt;:80" bypass-list="*.&lt;machine domain&gt;.com"</b></p>
<p>PS: Make sure that you add to the bypass list all the internal domains that need to bypass the proxy; otherwise you will have a situation where your backend communication goes through the proxy, which you may not want.</p>
<p>After setting the WinHTTP proxy, the sandboxed code solution was working as expected. One more issue resolved, many to come.</p>
<p><strong>Automated Eventlog export - Windows 2008 &amp; 2008 R2</strong><br />http://blogs.technet.com/b/operationsguy/archive/2011/01/04/automated-eventlog-export.aspx<br />2011-01-05T04:01:00Z</p>
<p>It is common to receive requests from application development teams for errors and exceptions from production servers. Providing this data on demand is inefficient due to the overhead of support procedures, hence the need to automate it. For environments where you have a dedicated development team and do not require filtering between different application errors, you can do the following:</p>
<ul>
<li>Export the event log with a scheduled task</li>
<li>Write the exported log to a remote share</li>
<li>Time stamp the exported log</li>
<li>Provide access to the share for the development team</li>
</ul>
<p>When operations engineers think about scheduled tasks, the first thing they think of is the overhead of managing an account and changing its password. Since Windows 2008 we have the capability of running scheduled tasks under Network Service, which is great as it takes away the overhead of password management. One point to note: if a process running under Network Service needs access to network resources, they are accessed under the identity of the machine account. On Windows 2008 and higher you can export the event log with the command-line utility wevtutil and date/time stamp the file using the PowerShell cmdlet Get-Date. Assume you write to the remote share <a href="file://utilityserver/logdump">\\utilityserver\logdump</a> and the machine account of the server exporting the logs via scheduled task has write access to the share.</p>
<p>On the utility server, create the share and provide the necessary permissions using the following:</p>
<p><b>net share logdump=D:\eventlogdump /grant:&lt;domain\machineaccount&gt;$,change</b></p>
<p><b>icacls D:\eventlogdump /GRANT &lt;domain\machineaccount&gt;$:(D,WDAC)</b></p>
<p>On the machine exporting logs, save the following as logexport.ps1:</p>
<p><b><i>$share="logdump"<br />$utilityserver="noname"<br />wevtutil epl application \\$utilityserver\$share\$(get-date -uformat "%Y_%m_%d_%H_%M_application_$(hostname)").evtx</i></b></p>
<p>Run the following to create a scheduled task on the machine:</p>
<p><b>schtasks /create /TN log_export /SC MINUTE /MO 10 /TR "powershell -file c:\temp\logexport.ps1" /RU "networkservice"</b></p>
<p>Once the job kicks off, you will see a file similar to <b>2011_01_05_14_46_application_web1.evtx</b> every 10 minutes. If you want to deploy to a number of machines, copy logexport.ps1 to each machine and use</p>
<p><b>schtasks /s &lt;remotemachinename&gt; /create /TN log_export /SC MINUTE /MO 10 /TR "powershell -file c:\temp\logexport.ps1" /RU "networkservice"</b></p>
<p>Alternatively, if you do not want to repeat the command every time, export the scheduled task as an XML file and re-import the XML file on any number of machines.</p>
<p>For shared hosting environments where you need segregation between application errors, the best way is to log parse the event logs, filter them, insert them into a database, and build a UI that enforces role-based access control for different applications. The application owners can access the UI to see the exceptions in production. This is how error logs are passed on to development teams in the shared hosting model of www.microsoft.com; we will cover that in a different blog post.</p>
<p>In the next post we will look at a scenario where I had fun with sandboxed code solutions in SP2010.</p>
<p><strong>Add security for default WSMAN configuration - Remotely</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/12/06/set-up-powershell-remoting-remotely.aspx<br />2010-12-07T03:49:00Z</p>
<p>Recently I was chatting with one of my friends about PowerShell remoting and WSMAN. He was telling me how he got flagged by security for running WinRM on 5985, which is the default port on Windows 2008 R2. I was like, are you serious? 5985 is not a standard port. His reply was that this is the default and people know about it; additionally, they had Windows Firewall turned off using a domain policy. Over the conversation, going back and forth, I agreed to help him come up with something that would help him change it, so that he keeps the security guys happy and at the same time gets to enjoy the PowerShell remoting features, which ride on top of WinRM.</p>
<p>I started looking at it. That is when I understood there is a reason why security thinks it is not "secure". I dumped the WinRM default config on my local machine running Windows 2008 R2:</p>
<p>C:\Users\vbaby&gt;winrm enumerate winrm/config/Listener<br />Listener<br />&nbsp;&nbsp;<span style="background-color: #ffffff;"><span style="color: #000000;">&nbsp; <span style="background-color: #ff0000;">Address = *</span></span><span style="color: #000000;"> -- All the configured addresses</span>. <br />&nbsp;&nbsp;&nbsp; Transport = HTTP</span><br />&nbsp;&nbsp;&nbsp; <span style="background-color: #ff0000;">Port = 5985</span>&nbsp;&nbsp; -- Default port <br />&nbsp;&nbsp;&nbsp; Hostname<br />&nbsp;&nbsp;&nbsp; Enabled = true<br />&nbsp;&nbsp;&nbsp; URLPrefix = wsman<br />&nbsp;&nbsp;&nbsp; CertificateThumbprint<br />&nbsp;&nbsp;&nbsp; <span style="background-color: #ff0000;">ListeningOn = 192.168.0.4, 127.0.0.1, ::1</span> --- All IPs are listening for Winrm </p>
<p>Now I am thinking the same as my friend: we need to change this in the prod environment. All the machines in this scenario have 2 interfaces: customer facing and admin. The measure security suggested was to lock WinRM to the admin interface on a non-standard port and get the port opened through the back-end firewall. In some time I could come up with a script to do this, as follows:</p>
<p><b><i>gci WSMan:\localhost\Listener | Remove-Item -Recurse<br />$port="23001"<br />$IP=gwmi Win32_NetworkAdapterConfiguration | ? {$_.ipaddress -like '198*'} | select -expandproperty ipaddress | ? {$_ -like '198*'} | select -first 1<br />new-item -path WSMan:\localhost\Listener -Transport http -Address "ip:$IP" -Port $port -force</i></b></p>
<p>The first line removes the default listener, the second line sets a non-standard port, and the third line finds the admin interface (here all the admin interfaces started with 198). The fourth line creates a listener on that IP at the specified port.</p>
<p>I asked him to save it as &lt;name&gt;.ps1 and run it on all the machines he wanted to configure, and sent this off to him. That evening I received an extension of the same request: "I need to run this on 200+ machines, help me run it remotely".</p>
<p>Looking at it, I decided to use PsExec. Testing it, PsExec was looking okay; the only problem was that I had to press Enter twice after each execution. This was not looking good; suddenly this was turning complex. Doing some online searches, I found this:<span style="text-decoration: underline;"> http://www.leeholmes.com/blog/2007/10/02/using-powershell-and-psexec-to-invoke-expressions-on-remote-computers/ </span>. Things were looking good after that. I saved the above script as remoting.ps1 on my utility server, then used a for loop to loop through my servers to test it. Here is the for loop:</p>
<p><i><b>for /f %i in (\\utilityserver\servers\server.txt) do psexec \\%i /u domain\&lt;user&gt; /p &lt;pass&gt; cmd /c "echo .| powershell -file \\utilityserver\scripts\remoting.ps1"</b></i></p>
<p>PsExec v1.96 - Execute processes remotely<br />Copyright (C) 2001-2009 Mark Russinovich<br />Sysinternals - www.sysinternals.com<br /><br />&nbsp;&nbsp; WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener<br /><br />Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Keys<br />----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----<br />Listener_1226527951&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Container&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {Address=IP:192.168.0.10, Tran...</p>
<p>cmd exited on web9&nbsp; with error code 0.</p>
<p>Now I have a new listener on all my machines exactly the way I wanted: on a particular port, on a particular IP, all set up remotely. The only issue is that when I run remote PowerShell, Invoke-Command tries to connect to 5985 by default.</p>
<p>&nbsp;Invoke-Command -ComputerName web19 -ScriptBlock {gci cert:\localmachine\my}</p>
<p><br /><span style="background-color: #ff0000;">[web19] Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Veri<br />&nbsp;&nbsp;&nbsp; + CategoryInfo&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : OpenError: (:) [], PSRemotingTransportException<br />&nbsp;&nbsp;&nbsp; + FullyQualifiedErrorId : PSSessionStateBroken</span></p>
<p>I have to specify the port now </p>
<p>Invoke-Command -ComputerName web19&nbsp; -ScriptBlock {gci c:\ } -Port 23001</p>
<p>Mode&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LastWriteTime&nbsp;&nbsp;&nbsp;&nbsp; Length Name<br />----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -------------&nbsp;&nbsp;&nbsp;&nbsp; ------ ----<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4/8/2010&nbsp; 12:08 PM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; compaq<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4/8/2010&nbsp; 12:10 PM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CPQSYSTEM<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4/8/2010&nbsp; 12:08 PM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hp<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7/2/2010&nbsp;&nbsp; 7:57 AM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inetpub<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7/2/2010&nbsp;&nbsp; 8:00 AM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; localbin<br />d----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7/13/2009&nbsp;&nbsp; 8:20 PM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PerfLogs<br />d-r--&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8/8/2010&nbsp; 11:19 AM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Program Files<br />d-r--&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8/8/2010&nbsp; 11:19 AM&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Program Files (x86)</p>
<p>Looks like problem solved. I sent this off to my friend and got back a reply: all good.</p>
<p>If you are interested in how WSMAN works over a port even when you do not have IIS on a machine, try this from a command prompt:</p>
<p><i><b>netsh http show urlacl</b></i></p>
<p>Reserved URL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http://+:23001/wsman/<br />&nbsp;&nbsp; User: NT SERVICE\WinRM<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Listen: Yes<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Delegate: No<br />&nbsp;&nbsp; User: NT SERVICE\Wecsvc<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Listen: Yes<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Delegate: No<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SDDL: D:(A;;GX;;;....) </p>
<p>You can see that the listener is created at the http.sys level. </p>
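<p>To confirm the change took effect on a server, the text printed by winrm enumerate winrm/config/Listener can be checked for the three things highlighted in the default config earlier (wildcard address, default port, addresses being listened on). This is an added example, not part of the original post; the function names are hypothetical and the sample text is constructed from the output format shown above, with 198.51.100.10 as a made-up admin address.</p>

```powershell
# Added example (not from the original post).
# Turn "winrm enumerate winrm/config/Listener" text into one object per listener.
function ConvertFrom-WinrmListenerText {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq 'Listener') {
            # A new block starts: emit the previous listener, if any.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{}
        }
        elseif ($null -ne $current -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
        elseif ($null -ne $current -and $text -match '^\w+$') {
            # Keys printed without a value (Hostname, CertificateThumbprint).
            $current[$text] = ''
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Check a listener against the measure described in the post:
# bound to the admin interface only, and not on the default port.
function Test-WinrmListener {
    param(
        [Parameter(ValueFromPipeline = $true)]$Listener,
        [string]$AdminPrefix = '198.',   # admin interfaces start with 198 in the post
        [int]$DefaultPort = 5985
    )
    process {
        $findings = @()
        if ($Listener.Address -eq '*') {
            $findings += 'bound to all addresses'
        }
        if ([int]$Listener.Port -eq $DefaultPort) {
            $findings += "default port $DefaultPort"
        }
        $outside = @($Listener.ListeningOn -split '\s*,\s*' |
            Where-Object { $_ -and -not $_.StartsWith($AdminPrefix) })
        if ($outside.Count -gt 0) {
            $findings += "listening outside admin range: $($outside -join ', ')"
        }
        [pscustomobject]@{
            Address   = $Listener.Address
            Port      = $Listener.Port
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample: the default listener, then the re-bound one.
$sample = @'
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 192.168.0.4, 127.0.0.1, ::1

Listener
    Address = IP:198.51.100.10
    Transport = HTTP
    Port = 23001
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 198.51.100.10
'@ -split "`r?`n"

ConvertFrom-WinrmListenerText -Lines $sample | Test-WinrmListener

# On a live server, feed it the real output instead:
#   ConvertFrom-WinrmListenerText -Lines (winrm enumerate winrm/config/Listener) | Test-WinrmListener
```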
<p>In the next post we will look at having some fun with scheduled tasks and wevtutil.</p>
<p><strong>Provide access to private keys -- Commandline vs Powershell</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell.aspx<br />2010-11-29T19:35:00Z</p>
<p style="text-align: left;">On <a href="http://www.microsoft.com">www.microsoft.com</a> we have a number of applications that use certs to access other web services. The way we do this is by installing the certificate with the private key into the local machine store, giving the application pool identity access to the private key, and using the serial number or the thumbprint of the certificate in the web.config of the application. One of the key challenges was to script out the private key access for the application pool identity across the server farm. There are 2 ways to do it:</p>
<ul style="text-align: justify;">
<li>Command line - Using Winhttpcertcfg</li>
<li>PowerShell - Just to explore the new cooler side</li>
</ul>
<p>Winhttpcertcfg was primarily for Windows 2000/2003 but it works well on Windows 2008 &amp; R2 :). You can download it at <a href="http://www.microsoft.com/downloads/en/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&amp;displaylang=en">http://www.microsoft.com/downloads/en/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&amp;displaylang=en</a> and either install it or extract its contents; you only need winhttpcertcfg.exe. Copy it to your utility server. As always, I am using server names out of a text file, and also using psexec, as winhttpcertcfg does not have remoting capabilities. (If you do not want to use psexec, you can use the PowerShell way shown in the next section.)</p>
<p><b>for /f %i in (servers.txt) do psexec \\%i /U domain\uname /P "XXX" \\utilityserver\tools\winhttpcertcfg\winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s "certsubjectname" -a "\network service"</b></p>
<p>where network service is the name of the application pool identity.</p>
<p>You can also install the cert, if you have the pfx, and give access to the apppool identity in a single step using the below:</p>
<p><b>for /f %i in (servers.txt) do psexec \\%i /U domain\uname /P "XXX" \\utilityserver\tools\winhttpcertcfg\winhttpcertcfg.exe -i \\certserver\certs\foo.pfx -c LOCAL_MACHINE\MY -a "\network service"</b></p>
<p style="padding-left: 30px;">Let us do the same using PowerShell. It turned out to be a bit more complex. Following is a script I wrote that takes a thumbprint and the apppool identity that needs access as parameters.</p>
<p><i>(Disclaimer: Please use this at your own risk; test once, twice, thrice in your test environment to make sure it produces the intended results.)</i></p>
<p><b># certaccessgrant.ps1 - grant an account access to the private key file of a certificate<br />if ($args[0] -eq $null -or $args[1] -eq $null){<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Write-Host "Insufficient parameters"<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Write-Host "Usage:certaccessgrant.ps1 thumbprint username"<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit}<br />else {$TP=$args[0]<br />$uname=$args[1]<br /># Look up the key container file name of the certificate with this thumbprint<br />$keyname=(((gci cert:\LocalMachine\my | ? {$_.thumbprint -like $tp}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName<br /># Stop if no certificate or private key was found; otherwise icacls would change the ACL of the MachineKeys folder itself<br />if (-not $keyname) {Write-Host "No private key found for thumbprint $TP"; exit}<br />$keypath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"<br />$fullpath=$keypath+$keyname<br /># Grant the account read and execute on the key file<br />icacls $fullpath /grant $uname`:RX<br />}</b></p>
<p>Save the above script as certaccessgrant.ps1. Make sure all the machines you are going to run the script on are set up for PowerShell remoting and have the cert installed. After that, run:</p>
<p><b>invoke-command -computername (get-content servers.txt) -filepath c:\temp\certaccessgrant.ps1 -argumentlist "118630e5ce55a52dwhlklklSWEwe42qbac2bb4b47bf", testuser</b></p>
<p>where 18630e5ce55a52dwhlklklSWEwe42qbac2bb4b47b is the thumbprint and testuser is the user name of the apppool identity that needs access.</p>
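<p>A stricter variant of the grant step, as an added example that is not the post's own code. The function name is an assumption; it assumes an elevated prompt, an RSA key and .NET Framework 4.6 or later, and it grants Read rather than the RX used in the script above.</p>

```powershell
# Added example, not from the original post. Function name is an assumption.
# Assumes an elevated prompt, an RSA key, and .NET Framework 4.6 or later.
function Grant-CertPrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$Account
    )

    # Thumbprints copied from the certificate dialog can carry spaces or an
    # invisible Unicode format character; strip those, then insist on 40 hex digits.
    $tp = ($Thumbprint -replace '[\s\p{Cf}]', '').ToUpperInvariant()
    if ($tp -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    # Exact match: a wildcard comparison could select more than one certificate.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp })
    if ($certs.Count -ne 1) { throw "Expected one certificate for $tp, found $($certs.Count)." }
    if (-not $certs[0].HasPrivateKey) { throw "Certificate $tp has no private key here." }

    # Resolve the key file name for both CSP (CryptoAPI) and CNG keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certs[0])
    if (-not $rsa) { throw "No RSA private key is accessible for $tp." }
    $name = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        $rsa.Key.UniqueName
    }
    if ([string]::IsNullOrEmpty($name)) { throw "Could not resolve the key container name." }

    # Never fall through to the folder itself: require exactly one existing key file.
    $paths = @('Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
        ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $name } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    if ($paths.Count -ne 1) { throw "Expected one key file named $name, found $($paths.Count)." }
    $path = $paths[0]

    # Grant Read only, then return the resulting ACL so the change can be reviewed.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($path, "Grant Read to $Account")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
    (Get-Acl -LiteralPath $path).Access |
        Select-Object @{ n = 'KeyFile'; e = { $path } }, IdentityReference, FileSystemRights, AccessControlType
}
```

<p>Running it with -WhatIf reports the key file that would be changed and lists its current ACL without modifying it.</p>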
<p>Also, if you are dealing with 1 or 2 machines (Windows 2008 &amp; up), you can go the slowest GUI way: Start --&gt; Run --&gt; MMC --&gt; Certificates --&gt; Local Machine --&gt; cert store.</p>
<p>Right click the cert, choose manage private keys and provide access to the apppool identity on all the machines. In Windows 2003 the GUI way is the tool wsecertificate2.exe; details are at <a href="http://msdn.microsoft.com/en-us/library/ms824698.aspx">http://msdn.microsoft.com/en-us/library/ms824698.aspx</a>.</p>
<p>SmartSE http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>
<p><strong>Hey dude, one of your servers is broken. Part-2</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/11/16/hey-dude-one-of-your-servers-is-broken-part-2.aspx<br />2010-11-16T15:42:00Z</p>
<p>When it comes to IIS versions, there was a major face lift starting with IIS6, and with that the resource kit got beefy too. For this post we will cover tinyget in the IIS 6 resource kit.</p>
<p>If you are looking for a download location: <span style="text-decoration: underline;">http://www.microsoft.com/downloads/en/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&amp;displaylang=en</span></p>
<p>The best features of tinyget are:</p>
<ul>
<li>You can control the headers that are passed (very handy if you want to do some specific user agent testing).</li>
<li>You can check the status against an expected result.</li>
<li>You can loop requests.</li>
<li>You can test the content body for strings.</li>
<li>You can test web pages that use SSL.</li>
<li>You can test web pages that use authentication or client certificates.</li>
</ul>
<p>The list goes on.</p>
<p>Continuing from the earlier post, we are going to look at how to test for Content-Length if a server hosts multiple websites. Here we use a for loop to execute against a set of servers from a text file, requesting <a href="http://www.site1.com">www.site1.com</a> on servers that host different sites.</p>
<p><em>for /f %i in (C:\temp\server.txt) do @echo %i &amp;&amp; @c:\tools\tinyget.exe -srv:%i -status:200 -uri:"/microsoft/foo.aspx" -rh:"Host: www.site1.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\n" -h | findstr "Content-Length:"</em></p>
<p>web33<br />Content-Length: 60<br />web34<br />Content-Length: 60<br />web35<br />Content-Length: 60<br />web36<br />Content-Length: 60<br />web37<br />Content-Length: 60<br />web38<br />Content-Length: 60<br /><span style="background-color: #993300;"><span style="color: #000000;"><span style="background-color: #ff6600;">web39<br />Content-Length: 22 (Broken)</span></span></span></p>
<p>Let us look at another example from the previous Part 1 post, where one of your machines is serving a 404, and how to capture it with tinyget. It is easy: using the same example, you look for a status of 200 OK to single out the machine that is throwing the 404.</p>
<p><em>for /f %i in (C:\temp\server.txt) do @echo %i &amp;&amp; @c:\tools\tinyget.exe -srv:%i -status:200 -uri:"/microsoft/foo.aspx" -rh:"Host: www.site1.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\n"</em></p>
<p>web33<br />web34<br />web35<br />web36<br />web37<br /><span style="background-color: #ff6600;">ERROR: 0x1 : Testcase number: 0 - Explain: (null)<br />ERROR: 0x4b8 : returned status code (404) does not match expected one (200)<br />ERROR: 0x1 : URI: /microsoft/foo.aspx, SSL: Nonsecure, CliCert:(null), Auth:Anon Domain:(null) User: (null) Password: (null)Received status/error info: 404 Not Found - HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had</span></p>
<p>If you want to loop a particular URL against a set of machines, you can use the same command with the highlighted options.</p>
<p><em>for /f %i in (C:\temp\server.txt) do @echo %i &amp;&amp; @c:\tools\tinyget.exe -srv:%i -status:200 -uri:"/microsoft/foo.aspx" -rh:"Host: www.site1.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\n" <strong><span style="background-color: #ff6600;">-x:10 -l:10</span></strong></em></p>
<p>The above will run 10 threads, each 10 times, against each server for the URL "/microsoft/foo.aspx". This is not advised for stress testing; for stress testing you should use WCAT from the same resource kit or download it from <a href="http://www.iis.net">www.iis.net</a>. But this is great in case you want to debug some perf issues for a particular URL.</p>
<p>Recently I was dealing with a case where there was a typo on a page that was published out. The content publisher noticed it and reverted the changes, but while testing he was intermittently seeing the page that had the typo. This is what I did to isolate the issue to the proxy cache, i.e., first prove that none of my machines was serving the page that had the typo.</p>
<p><em>for /f %i in (C:\temp\server.txt) do @echo %i &amp;&amp; @c:\tools\tinyget.exe -srv:%i -status:200 -uri:"/microsoft/foo.aspx" <strong><span style="background-color: #ff6600;">-testcontainstring:"&lt;correct string&gt;"</span></strong> -rh:"Host: www.site1.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\n"</em></p>
<p>If one of my servers was broken, the below would have been my output:<br />web37<br /><span style="background-color: #ff6600;">ERROR: 0x4b8 : response body does not contain expected string<br />Expected:&lt;correct string&gt;</span><span style="background-color: #ff6600;"><br />Received: &lt;spew of the page content&gt;</span></p>
<p>Finally, if you are testing against a URL that is secure (https), use the highlighted option.</p>
<p><em>for /f %i in (C:\temp\server.txt) do @echo %i &amp;&amp; @c:\tools\tinyget.exe -srv:%i -status:200 -uri:"/microsoft/foo.aspx" <strong><span style="background-color: #ff6600;">-s:3</span></strong> -rh:"Host: www.site1.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\n"</em></p>
<p>This concludes the 2 part series. In the next post we will cover some fun with permissions for cert private keys.</p>
<p>SmartSE http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>
<p><strong>Hey dude, one of your servers is broken. Part-1</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/11/10/hey-dude-one-of-your-servers-is-broken.aspx<br />2010-11-10T15:43:00Z</p>
<p>For engineers who manage IIS clusters, one of the main challenges is how to keep content in sync across the farm. One broken server in a farm can cause a broken user experience: as requests bounce between machines, they may land on a machine that does not have the content, kicking users over to custom errors or old content. We get at least a couple of requests every week on this. When it is a high priority business website, time is key to isolate the broken machine and remove it from rotation. One of the ways to troubleshoot this is to pull the URL from all the machines and look at either the response code or the content length returned. They should be consistent; if you find a machine with a different content length or an error (&gt; 400) status code, you have isolated the issue. This is how I do it.</p>
<p>1) Launch PowerShell from a Windows 2008 (with the IIS7 PowerShell module installed) or Windows 2008 R2 machine.</p>
<p>Add-pssnapin WebAdministration (Windows 2008)</p>
<p>or</p>
<p>import-module webadministration (Windows 2008 R2)</p>
<p>2) Get the server names from a text file and pipe them to the get-weburl cmdlet.</p>
<p>To look at content length, if the issue is about outdated content showing up intermittently on the server farm:</p>
<p><b>Get-Content c:\temp\servers.txt | % {$_;get-weburl -Url http://$_/my/sites/foo.aspx -ResponseHeaders| %{($_.headers).'Content-Length'}}</b></p>
<p><br /><b>WEB01<br />20134<br />WEB02<br />20134<br />WEB03<br />20134<br />WEB04<br />20134<br />WEB05<br />20134<br />WEB06<br />20134<br /></b><span style="background-color: #ff6600;"><b>WEB07<br />20051 (Broken) </b></span></p>
<p>To find a machine that throws a 404 or 500 in the cluster:</p>
<p><b>Get-Content c:\temp\servers.txt | % {get-weburl -Url http://$_/my/sites/foo.aspx -ResponseHeaders} | select responseuri, status, description</b></p>
<table>
<tr><th>ResponseUri</th><th>Status</th><th>Description</th></tr>
<tr style="background-color: #ff6600;"><td>http://WEB01/my/sites/foo.aspx</td><td>ProtocolError</td><td>URL Rewrite Module Error. (Broken)</td></tr>
<tr><td>http://WEB02/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB05/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB06/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB07/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB08/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB21/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB22/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB23/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB24/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB25/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB26/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB27/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB28/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB41/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB42/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
<tr><td>http://WEB43/my/sites/foo.aspx</td><td>OK</td><td>OK</td></tr>
</table>
<p>OK is a 200.</p>
<p>Well, this works great if your server has one website. What if you are in the shared hosting business, with multiple sites on the same server? That is when we travel back in time to meet the IIS 6 resource kit tool tinyget. That will be covered in the next post.</p>
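<p>The farm comparison described in this post and in Part 2 (same URL from every server, outlier flagged by status or content), as an added example that is not from the original posts. It goes one step further than Content-Length by comparing a SHA-256 hash of the body, and sends a Host header for servers that host several sites; the function names and the sample rows with their placeholder hashes are constructed for illustration.</p>

```powershell
# Added example, not from the original posts. Function names are assumptions.

function Get-FarmResponse {
    # Fetch the same path from every server, selecting the site with a Host header.
    # Plain HTTP only; HttpWebRequest.Host needs .NET Framework 4.0 or later.
    param(
        [Parameter(Mandatory = $true)][string[]]$Server,
        [Parameter(Mandatory = $true)][string]$HostHeader,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($s in $Server) {
        $req = [System.Net.WebRequest]::Create("http://$s$Path")
        $req.Host = $HostHeader
        $req.AllowAutoRedirect = $false   # a redirect on one node is itself a difference
        $req.Timeout = 10000
        $resp = $null
        try { $resp = $req.GetResponse() }
        catch {
            # 4xx/5xx arrive as WebException, possibly wrapped by PowerShell.
            $ex = $_.Exception
            while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
            if ($ex) { $resp = $ex.Response }
        }
        if (-not $resp) {
            # Connection failure or timeout: no HTTP response at all.
            New-Object PSObject -Property @{ Server = $s; Status = 'NoResponse'; Length = -1; Hash = '' }
            continue
        }
        $ms = New-Object System.IO.MemoryStream
        $body = $resp.GetResponseStream()
        $body.CopyTo($ms)
        $hash = [System.BitConverter]::ToString($sha.ComputeHash($ms.ToArray())) -replace '-', ''
        New-Object PSObject -Property @{
            Server = $s; Status = [int]$resp.StatusCode; Length = $ms.Length; Hash = $hash
        }
        $resp.Close()
    }
}

function Find-FarmOutlier {
    # The largest group of identical (Status, Hash) pairs is taken as the baseline;
    # every server outside that group is returned for review.
    param([Parameter(Mandatory = $true)][object[]]$Response)
    $groups = @($Response |
        Group-Object { '{0}|{1}' -f $_.Status, $_.Hash } |
        Sort-Object Count -Descending)
    if ($groups.Count -le 1) { return @() }
    if ($groups[0].Count -eq $groups[1].Count) {
        Write-Warning 'No clear majority; review every server.'
        return $Response
    }
    $groups | Select-Object -Skip 1 | ForEach-Object { $_.Group }
}

# Constructed sample mirroring the tinyget output in Part 2 (web39 differs).
# The hash values are placeholders, not real digests.
$sample = 'web33', 'web34', 'web35', 'web36', 'web37', 'web38' | ForEach-Object {
    New-Object PSObject -Property @{ Server = $_; Status = 200; Length = 60; Hash = 'AAAA' }
}
$sample += New-Object PSObject -Property @{ Server = 'web39'; Status = 200; Length = 22; Hash = 'BBBB' }
Find-FarmOutlier -Response $sample | Select-Object Server, Status, Length, Hash

# Live use, with the server list and site name used in the posts:
# Find-FarmOutlier (Get-FarmResponse -Server (Get-Content C:\temp\server.txt) `
#     -HostHeader 'www.site1.com' -Path '/microsoft/foo.aspx')
```

<p>The hash comparison suits pages whose output is identical on every request; for pages that embed per-request values, compare Status and Length instead.</p>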
<p>SmartSE http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>
<p><strong>Sharepoint 2010 password changes with Powershell. Relief from stsadm.</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/11/09/sharepoint-2010-password-changes-with-powershell-relief-from-stsadm.aspx<br />2010-11-10T03:51:00Z</p>
<p>Operations engineers who are experienced with SharePoint 2007 know that the old stsadm process to change passwords (<a href="http://support.microsoft.com/kb/934838">http://support.microsoft.com/kb/934838</a>) is cumbersome. SharePoint 2010 is here with PowerShell integration, making it easy to change the passwords for SharePoint managed accounts whose passwords are not set to change automatically when nearing expiration. I use PowerShell end to end to:</p>
<p>1) Change the password in AD for service account. </p>
<p>2) Update the password for the service accounts in the sharepoint 2010 farm .</p>
<p>Here is a quick run through.</p>
<p><strong><span style="text-decoration: underline;">Change the password in AD for service account. </span></strong></p>
<p>I assume you can log on to a Windows 2008 R2 server in the domain where the service account exists, and that you have rights to change the password for the service account. I am using a fictitious account by the name _svc_acct for this scenario.</p>
<p>a) After logging on to a server in the account domain, launch PowerShell.</p>
<p style="text-align: left;">b) Load the AD module</p>
<p style="text-align: left;">import-module activedirectory</p>
<p style="text-align: left;">c) Assign the account name to a variable</p>
<p style="text-align: left;">&nbsp;&nbsp;&nbsp;&nbsp; $account="_svc_acct"</p>
<p style="text-align: left;">d) Set the password (please note this, as we will be using it in the next section)</p>
<p style="text-align: left;">&nbsp;&nbsp;&nbsp;&nbsp; Set-ADAccountPassword -Identity $account -OldPassword (ConvertTo-SecureString -AsPlainText "xxxx" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "xxxxx" -Force)</p>
<p style="text-align: left;">e) Check that the password was updated successfully (the output should show a recent time stamp)</p>
<p>Get-ADUser $account -properties * | select PasswordLastSet</p>
<p>Engineers who do not have Windows 2008 R2 machines can always change the password through their normal process.</p>
<p><strong><span style="text-decoration: underline;">Update the password for the service accounts in the sharepoint 2010 farm</span></strong></p>
<p>a) Log on to the CA in the farm and launch PowerShell. Assign the new password from step d in the above section to a variable, and also store the account in a variable.</p>
<p>$account="_svc_acct"</p>
<p>$securepassword=convertto-securestring "xxxxx" -asplaintext -force</p>
<p>b) Retrieve the SP managed account and pipe it to the Set-SPManagedAccount cmdlet</p>
<p>Get-SPManagedAccount Domain\$account | Set-SPManagedAccount -ExistingPassword $securepassword -UseExistingPassword -confirm:$false</p>
<p>Guys tell me this is easy !!</p>
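<p>The two sections above with the passwords prompted for instead of typed into the command line, where they would remain in console history and transcripts; an added example, not the post's own code. The function names are assumptions, and the cmdlets and parameters are the ones the post uses plus Read-Host -AsSecureString.</p>

```powershell
# Added example, not from the original post. Function names are assumptions.

function Read-NewPassword {
    # Prompt twice without echo and return a SecureString only if both entries match.
    $first  = Read-Host -AsSecureString -Prompt 'New password'
    $second = Read-Host -AsSecureString -Prompt 'Confirm new password'
    $toText = {
        param($s)
        $p = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
        try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p) }
    }
    if ((& $toText $first) -cne (& $toText $second)) { throw 'Passwords do not match.' }
    return $first
}

function Set-ServiceAccountPassword {
    # First section, steps b to e: change the password in AD and confirm that
    # PasswordLastSet moved forward. Run where the ActiveDirectory module exists.
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$OldPassword,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$NewPassword
    )
    Import-Module ActiveDirectory
    $before = (Get-ADUser $Account -Properties PasswordLastSet).PasswordLastSet
    Set-ADAccountPassword -Identity $Account -OldPassword $OldPassword -NewPassword $NewPassword
    $after = (Get-ADUser $Account -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) { throw "PasswordLastSet did not advance for $Account." }
    return $after
}

function Update-FarmManagedAccount {
    # Second section, steps a and b: tell the farm about the password already set in AD.
    # Run on the SharePoint server.
    param(
        [Parameter(Mandatory = $true)][string]$DomainAccount,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$NewPassword
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPManagedAccount $DomainAccount |
        Set-SPManagedAccount -ExistingPassword $NewPassword -UseExistingPassword -Confirm:$false
}

# On a domain-joined server with the ActiveDirectory module:
#   $old = Read-Host -AsSecureString -Prompt 'Current password'
#   $new = Read-NewPassword
#   Set-ServiceAccountPassword -Account '_svc_acct' -OldPassword $old -NewPassword $new
# On the SharePoint server:
#   $new = Read-Host -AsSecureString -Prompt 'New password'
#   Update-FarmManagedAccount -DomainAccount 'Domain\_svc_acct' -NewPassword $new
```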
<p>SmartSE http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>
<p><strong>My new blog</strong><br />http://blogs.technet.com/b/operationsguy/archive/2010/11/09/my-new-blog.aspx<br />2010-11-10T03:22:00Z</p>
<p>My name is Vincent Baby. I am a member of the MSCOM operations team, which manages some of the important Microsoft sites like <a href="http://www.microsoft.com">www.microsoft.com</a>, mobile.Microsoft.com, downloads.microsoft.com, search.microsoft.com and the associated publishing systems that publish to these sites. In my day to day activities I deal with a lot of IIS, SharePoint, Hyper-V, and different OS versions from Windows 2003 to Windows 2008 R2. The intention of this blog is to share some of the tips and tricks and best practices that I use daily to resolve our day to day operational issues and keep the websites running smoothly. Most of them will be around deployment automation, one liners to push out config changes etc. Stay tuned !!</p>
<p>SmartSE http://blogs.technet.com/operationsguy/ProfileUrlRedirect.ashx</p>